RIPS Tech security analysts express that the privilege escalation bugs in WordPress permit hackers to acquire access features that were meant for administrators merely. A hacker with a user function as low as presenter on WordPress, the open-source free Content Management System built on MySQL and PHP, could effort the security vulnerabilities to generate posts of post sorts they regularly should not have acquire access to.
Tthe researchers say that the major reason of the matter is a logic bug in the mode in which WordPress generates blog posts,. This leads to a Object Injection and Stored XSS in the WordPress kernel, as well as to more critical bugs in the famous WordPress plugins Jetpack and Contact Form 7. WordPress assists the generation and publishing of various post categories as it is being a blogging software at the core and merely permits plugins to sign up new post categories, to offer new and ideal features. Acquiring access to sign up the post types can only be limited to administrators, therefore extenuating security threats.
But, RIPS identified that the security concerns utilizeed by WordPress could be routed to generate posts of any sort and abuse the features of tailored post varieties. Moreover, counting upon the installed plugins, more critical bugs can be employed.
“When for example WordPress’s most popular plugin, Contact Form 7, which has over 5 million active installs, was used, attackers were able to read the database credentials of the target WordPress site. Most of the top WordPress plugins are vulnerable to this privilege escalation,” RIPS explains.
WordPress sets which activity the user requires to carry out when a user tries to generate or modify a post, the post kind the user is attempting to generate, and whether they are permitted to utilize that post kind. The previous step is executed by confirming a nonce that can be acquired from the page editor of the post sort in question.
What the analysts identified was that a harmful user in the donor role does not have acquired access to the page and nonce of the illustration post kind, however can gain the nonce of a average post, which has the inner post sort post. Therefore, they could fit the post ID to a post with the post kind post and route the nonce confirmation.
While this would merely permit the hacker to modify an present post, it does not permit them to alter the post kind. But, this merely occurs if a particular parameter is employed, and WordPress does not set the existence of a second parameter, therefore permitting a hacker to accomplish the nonce confirmation and generate a new post with an absolute post kind.
A lower advantaged user can generate posts of any sort, however the affect on a mark website is impacted by the installation of plugins and the properties the post kinds that come with the installed plugins offer. Therefore, a hacker could maltreat the vulnerability in Contact Form 7 to publish the blog contents of the wp-config.php file of the target site.
Due to the plugin permitted the setting of local file attachments, a hacker could “create a new contact form, set the local file attachment to ../wp-config.php and set the email to which the data should be sent to his own, submit the form and then read the contents of the most important WordPress file,” the researchers explain.
Thousands of plugins are possibly assailable to such threats according to RIPS. In addition, one of internal post types of WordPress is influenced by a Object Injection and Stored XSS, which could consequence in a hacker taking over the website.